When a Voice Isn’t Really a Voice: What the New AI Scam Means for Your Business

Last week, a story popped up on WRDW about the new AI voice scam.  In this particular incident, a woman lost thousands of dollars after her daughter had been kidnapped…only to find out her daughter’s voice had been cloned and she had been swindled. 

You’ve probably seen stories like this and thought “that’s crazy…but it’s uncommon, and it’s not really relevant to me or my business.” 

But the reality is that you should see stories like these as a flashing warning sign (both in your personal and professional life).  Although data is hard to gather, something like 60% of fraud committed against SMBs goes unreported.   

Think about this risk against a risk we take every day: driving. Every year, you have a 1 in 17 chance of getting in a car wreck.  By contrast, PEW Research reports that 32% of Americans have been a target of a cyber scam in the past year. In fact, most Americans report getting fraud texts, calls, or emails WEEKLY, and 1 in 5 Americans have fallen for a cyber scam.   

“Not me,” you say – but even if YOU don’t, you have people who work for you that may be susceptible to these attacks.  In any case, the sophistication of these attacks now means that even savvy cyber users have an increasingly difficult time discerning whether a particular email or call is a scam.  Let’s look at how these scams might play out in real life business. 

3 Brief Illustrations of AI Generated Voice Scam for SMBs

1. The “Owner Said Send It” Scam 

It’s Friday afternoon. Payroll is about to run at a regional plumbing company. The office manager gets a call from the owner. Or at least… it sounds exactly like him. 

He says he’s on a job site and needs an urgent wire sent to a supplier to release equipment for a big commercial job. The tone is rushed and slightly irritated. 

“Can you just send it now? I’ll explain later.” 

The office manager hesitates for a second… but it’s clearly his voice. She sends, say, $18,500. 

An hour later, the real owner walks into the office.  The office manager asks if the vendor sent over the equipment.  The owner has no idea what the office manager is talking about.  

 

2. The Vendor Payment Change

An HVAC company receives a call from someone who sounds like the owner of their long-time equipment supplier. He explains their bank changed and asks the contractor to send the next invoice payment to a new account. 

The voice sounds identical. Same accent. Same tone. The office sends the $27,000 equipment payment to the new account. 

Three weeks later the supplier calls asking why the bill hasn’t been paid.

  

3. The Fake IT Emergency 

A busy medical office receives a call from someone who sounds exactly like the technician from their IT provider. The voice says they detected suspicious activity on the network and need to log into the firewall immediately. 

They ask the office manager to confirm the administrator password so they can “lock down the system.” The voice sounds right. The urgency feels real. Within minutes, the attacker has full network access. Two weeks later the practice discovers patient data has been stolen. 

Now they’re dealing with breach notifications, compliance problems, and angry patients. 

Now, how do you address problems like these?  Here are 3 principles to avoid AI-generated Voice Fraud (but note these also apply to text or email, as well). 

 

3 Practical Ways to Prevent AI Voice Fraud

1. Train staff to question urgency

Scammers push employees to act before they think. The very first step in preventing cyber attacks of any kind is human behavior.  Scammers do not give the soft sell – they often create a sense of immediate urgency. ANY communication of that sort should be a red flag for employees to STOP rather than GO.  But that mindset needs training.

2. Use callback verification

Call the person back using a number you already have.  If an out-of-the-ordinary request for money or password credentials comes up (whether in text, email, or phone call), employees need to be trained to verify this.  Clearly, the callback should be on an already-known phone number (not the phone number listed in the message).  

3.  Create a “safe word” for executives…or families

Some companies now use internal verification phrases for unusual requests.  This may sound extreme, but it is particularly important if you are in business that may require periodic request outside normal channels OR if those requests are occasionally urgent or emergency-related.  

Conclusion 

The lesson here isn’t that every phone call or email is a scam. It’s that the environment has changed. For years, we trained ourselves to recognize suspicious messages by obvious clues: bad grammar, strange email addresses, or voices that didn’t quite sound right. Today, those clues are disappearing. AI tools allow attackers to imitate voices, writing styles, and communication patterns with surprising accuracy. 

That doesn’t mean businesses are helpless. It simply means the solution has shifted from recognition to verification. 

Think back to the driving example. Most people will never experience a serious accident, but we still wear seat belts, carry insurance, and follow safety rules because the risk is real enough to justify preparation. 

Cybersecurity works the same way. 

Businesses that establish simple safeguards dramatically reduce their exposure to scams like these. These safeguards include training employees to question urgency, verifying unusual requests, and creating clear processes for sensitive action. 

Today’s threat environment is significant and real, and risk management with cyber attacks has unfortunately become a very necessary reality for business owners.